troubleshooting Archives -

List All Hosts Associated with All Indexes

Using the Splunk Tstats command you can quickly list all hosts associated with all indexes:

|tstats values(host) where index=* by index

1	\|tstats values(host) where index=* by index

Continue Reading →

Hosts Taking a Long Time to Scan – Qualys

The following Splunk query will show the hosts taking an abnormally lengthy time to scan (helps find that needle in a haystack) within the Qualys Sourcetype:

sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION> 1800 | sort -SCAN_DURATION | table IP, DNS, OS, SCAN_DURATION

1	sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION> 1800 \| sort -SCAN_DURATION \| table IP, DNS, OS, SCAN_DURATION

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

How to Check When Splunk is finished Indexing a log file

How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to learnsplunk.com author who originally posted it on his website) By watching data from splunk’s metrics log in real-time. ************************************************************

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="your_sourcetype_here" | eval MB=kb/1024 | chart sum(MB)

1	index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="your_sourcetype_here" \| eval MB=kb/1024 \| chart sum(MB)

************************************************************ or to watch everything happening split by sourcetype…. ************************************************************

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

1	index="_internal" source="*metrics.log" group="per_sourcetype_thruput" \| eval MB=kb/1024 \| chart sum(MB) avg(eps) over series

************************************************************ And if you’re having trouble […]

Continue Reading →

Total Number of Hosts reporting in.

This query will list the total number of hosts reporting to the indexer for any specified time range. This only works for universal forwarders. If you have hosts reporting in over syslog (typically port 514) they will not be listed.

index=_internal sourcetype=splunkd | stats dc(hostname) as "Number of Hosts"

1	index=_internal sourcetype=splunkd \| stats dc(hostname) as "Number of Hosts"

Continue Reading →

Detailed list of Universal Forwarders Reporting to Indexer

The following query will list in detail information on the universal forwarders checking into the indexer. I’ve renamed some of the fields to be more user-friendly.

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

Continue Reading →

Tag: troubleshooting

List All Hosts Associated with All Indexes

Hosts Taking a Long Time to Scan – Qualys

How to Check When Splunk is finished Indexing a log file

Total Number of Hosts reporting in.

Detailed list of Universal Forwarders Reporting to Indexer